1. Introduction

In its daily operations, Hellenic Dairies S.A. uses a wealth of data, related to identified individuals, included data related to:

Current and former employees or external partners with a cooperation agreement

Suppliers

Customers

Users of Hellenic Dairies S.A. webpages

Other stakeholders

The purpose of this policy is to describe the relevant legislation and to present the steps, followed by Hellenic Dairies S.A., to ensure its compliance with it.

This audit is conducted on all the systems, the people and the procedures of Hellenic Dairies S.A., also including the members of the board of directors, the service officers, the employees, the customers, the suppliers, the collaborators, the subcontractors, and other third parties, who have access to the systems of Hellenic Dairies S.A..

2. Privacy and Personal Data Protection Policy

2.1 The General Data Protection Regulation

The General Data Protection Regulation 679/2016 (GDPR) is one of the most important pieces of the legislation, which specifies the way in which Hellenic Dairies S.A. performs operations related to data processing. In the case of breach of GDPR, which is designed to protect the personal data of all those residents in the European Union, significant fines are likely to be imposed. It is Hellenic Dairies S.A. policy to ensure that compliance with GDPR and other relevant legislation is clear and can be proved at any time.

2.2 Definition

GDPR includes 26 definitions in total, the most basic of which, related to the specific policy, are cited below:

Personal Data is defined as:

any information related to an identified or identifiable natural person (“data subject”); the identifiable natural person is the one that can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons.

”processing” is defined as:

any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“controller” means:

Natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; Where the purposes and the means of this processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by the Union law or by Member State law.

2.3 Principles Governing the Processing of Personal Data

There are some basic principles on which GDPR is based.

These are listed below:

Personal Data should be:

processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”),

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall, in accordance with Article 89, paragraph 1, not be considered incompatible with the initial purposes (“purpose limitation”),

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimalisation”),

accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”),

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89, paragraph 1, subject to the implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subjects (“storage limitation”),

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).

Hellenic Dairies S.A. must ensure compliance with these principles, both at current processing and at introducing new processing methods, such as new information systems.

2.4 Individual Rights

The data subject shall also have rights, with regard to GDPR. These include:

Right to information

Right to access

Right to rectification

Right to erasure

Right to a restriction of processing

Right to data portability

Right to object

Rights related to automated decision-making, including profiling.

Each of the rights of the natural persons shall be supported by appropriate procedures by Hellenic Dairies S.A.. These procedures ensure that the required actions are made in the framework of the timelines, suggested in GDPR.

These timelines are presented in Table 1.

Data Subject’s Requests

Timeline

Right to information

The moment the data is collected (insofar as it is collected by the data subject) or within a month (insofar as it is not collected by the data subject)

Right to access

One month

Right to rectification

One month

Right to erasure

Without undue delay

Right to restriction of processing

Without undue delay

Right to data portability

One month

Right to object

Upon receiving an objection

Rights related to automated decision-making, including profiling.

Not specified

Table 1– Timelines of underlying data requests

2.5 Consent

Unless required for reasons permitted by GDPR, explicit consent should be obtained by the data subject for the collection and processing of his data. In the case of children under 16, consent should be obtained by the parent / guardian. The data subjects must be informed about their rights –in relation to their personal data – such as the right to consent, the time their consent is received. The information, which concerns the rights of the data subjects, must be easily accessible, free of charge, and written in a clear way.

If the collection of personal data is not performed directly by the data subject, then this information is given within a reasonable time after obtaining the data, and certainly, no later than a one-month period.

2.6 Data protection by design

Hellenic Dairies S.A. has adopted the principle of data protection by design and shall ensure that the definition and design of all the new or the significantly modified systems, which collect or process personal data, shall give due consideration on issues of information security and personal data protection, including carrying out one or more data protection impact assessments (Impact Assessments – DPIAs).

The data protection impact assessment includes:

The manner in which the personal data is being processed and for what purposes

Assessing whether the suggested personal data processing is both necessary and respective to the purpose (or purposes)

Assessment of the hazards to which the persons are exposed, due to the processing of their personal data

The choice of the necessary measures, to address the hazards, which were identified, and demonstrate compliance with the legislation.

The use of techniques such as data minimalization and pseudonymization must be taken into consideration in cases where their implementation is appropriate and feasible.

2.7 Transfer of Personal Data

Transfer of personal data outside the European Union must be carefully considered and before the transfer takes place, in order to ensure that it is done in accordance with the framework, which has been stipulated by GDPR. This partially depends on the judgment of the European Commission, as well as on the adequacy of security, which is implemented regarding the personal data in the country that will receive the data and may be altered over time.

The international transfer of data within organizations must be subjected to legally binding agreements, which grant rights to the data subjects.

2.8 Data Protection Officer

In the framework of GDPR, the assignment of a Data Protection Officer (DPO) is required, in the case that the organization is a public authority, it performs large scale processing, or processes particularly sensitive data categories on a large scale. The DPO must possess the appropriate level of knowledge and may either come from the same organization or be an external partner.

On the basis of these criteria, we consider that the assignment of a Data Protection Officer is not required at Hellenic Dairies S.A.

2.9 Breach Notification

It is a policy of Hellenic Dairies S.A. to inform all those required, in the case of breach, related to personal data, in a fair and respective manner. In line with GDPR, when it becomes known that a breach, which might result in jeopardizing the rights and freedoms of the persons, has taken place, the Hellenic Data Protection Authority (HDPA) shall be informed within 72 hours. This will be performed in accordance with the Information Security Incident Management Procedure of Hellenic Dairies S.A..

Under GDPR, the respective HDPA shall be authorized to impose a range of fines up to 4 percent of the annual worldwide turnover or twenty million euros, whichever of the two is larger, for breach of the Regulation.

2.10 Implementation of Compliance with GDPR

The following actions have been taken to ensure that Hellenic Dairies S.A. shall comply, in any case, with the accountability principle of GDPR:

The legal basis for processing personal data is clear and unambiguous.

All personnel, involved in personal data management, comprehend their liability, and follow the best data protection practices.

All personnel have been trained in data protection.

The obligations regarding consent are met.

There are channels available, through which the data subjects, who wish to exercise their rights regarding their personal data, shall have this possibility.

Reviews of the procedures that concern personal data are often performed.

Data protection by design is adopted for all the new systems and procedures or for important changes of the existing ones.

At the document, where the actions to take place during a procedure are described, the following are listed:

The name of the organisation and relevant details

The purposes of processing personal data

The categories of the persons and the personal data, under processing

The categories of the recipients of the personal data

The agreements and the mechanisms, under which transfers of personal data are performed to countries outside the European Union, also including details on the measures taken

Retention period for personal data

The appropriate technical and organisational measures, which have been implemented.

These actions shall be inspected on a regular basis, as part of the management inspection procedure of the Personal Data Protection Program.